Summary: | Crashes if the document inside iframe is removed during pasting some text into it. | ||||||||
---|---|---|---|---|---|---|---|---|---|
Product: | WebKit | Reporter: | Hajime Morrita <morrita> | ||||||
Component: | HTML Editing | Assignee: | Hajime Morrita <morrita> | ||||||
Status: | RESOLVED FIXED | ||||||||
Severity: | Normal | CC: | ademar, rniwa, tkent | ||||||
Priority: | P2 | ||||||||
Version: | 528+ (Nightly build) | ||||||||
Hardware: | Unspecified | ||||||||
OS: | Unspecified | ||||||||
Attachments: |
|
Description
Hajime Morrita
2011-05-09 22:32:33 PDT
Created attachment 92929 [details]
Patch
Comment on attachment 92929 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=92929&action=review > LayoutTests/editing/pasteboard/resources/paste-removing-iframe-child.html:12 > + // Calls notifyDone() before because the removal > + // can terminate the scdript execution. > + if (window.parent.layoutTestController) > + window.parent.layoutTestController.notifyDone(); > + var toRemove = window.parent.document.getElementById("child"); > + toRemove.parentNode.removeChild(toRemove); Does this correctly crash without the Editor.cpp change? I think notifyDone() immediately terminates the test. Hi Kent-san, thank you for taking a look!
> Does this correctly crash without the Editor.cpp change?
> I think notifyDone() immediately terminates the test.
It works for Mac DRT which just set flag on notifyDone() to exit the event loop.
But I have no idea for other port.
So I'd like to search safer way.
(In reply to comment #3) I think we can use a DOM mutation event in the parent document. Comment on attachment 92929 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=92929&action=review > LayoutTests/editing/pasteboard/resources/paste-removing-iframe-child.html:8 > + // can terminate the scdript execution. Typo: scdript > LayoutTests/editing/pasteboard/resources/paste-removing-iframe-child.html:10 > + if (window.parent.layoutTestController) > + window.parent.layoutTestController.notifyDone(); You can't call notifyDone before removing the node. (In reply to comment #4) > (In reply to comment #3) > I think we can use a DOM mutation event in the parent document. Can't we just do setTimeout(function() {layoutTestController.notifyDone();}, 0) ? Comment on attachment 92929 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=92929&action=review r- per various commets. > LayoutTests/editing/pasteboard/paste-removing-iframe.html:9 > +<h1>PASS unless crash.</h1> You need to be more descriptive here. Also, you should just print PASS when WebKit didn't crash. Created attachment 93242 [details]
Patch
Kent-san, Ryosuke, thank you for reviewing!
I updated the patch, in which I moved test script from child frame to parent frame.
> > LayoutTests/editing/pasteboard/paste-removing-iframe.html:9
> > +<h1>PASS unless crash.</h1>
>
> You need to be more descriptive here. Also, you should just print PASS when WebKit didn't crash.
Add more explanation as a comment (to make explanation small)
and simplify the text.
Comment on attachment 93242 [details]
Patch
ok
Committed r86311: <http://trac.webkit.org/changeset/86311> Revision r86311 cherry-picked into qtwebkit-2.2 with commit 25483fc <http://gitorious.org/webkit/qtwebkit/commit/25483fc> |